I started down the journey of FortiManager and near zero touch provisioning with CLI Templates. After a solid week of trial and error, I completed the setup this evening and was extremely happy to see the final result, until I tried testing the policies.
My internal network can reach the internet using the SDWan interface, but it cannot reach any resource across the IPSec tunnel. The hit counts aren't even incrementing on any of the policies I'd be hitting. I setup a debug flow and the output below appears to be trying to route into the tunnel but nothing on the policy hit counters on either side.
I am wondering if it's because I used an IPSec aggregate interface on the branch side but not on the Datacenter side. We're in process of upgrading to 6.4.6 and are starting with the branches. The ultimate goal is dual Internet circuits at each site with 2 tunnels to the datacenter, but this site, and most others, currently have a single Internet circuit. The plan was to start with an Aggregate interface with a single member and add members as we add Internet circuits/IPSec tunnels.
I appreciate the response. Long term, the plan is to add a second IPSec tunnel, I was just hoping to lay the foundation now so when the second Internet circuit/tunnel is added, it would just be a matter of adding the tunnel to the aggregate.
Rather than using aggregate, I decided to switch to an SDWAN zone instead. This is my first time adding a second SDWAN zone and I am happy to see my testing is working out.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.